Last week I've made my research of these vulnerabilities and informed all developers (previous and current) of ZeroClipboard.

When I've downloaded ZeroClipboard in September 2011, when I was writing my article Attacks via clipboard (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-Oc
tober/008056.html), where I wrote about different attacks via clipboard, such as XSS, CAS (which leads to DoS or Code Execution), attacks on download managers which monitor clipboard (which leads to manual downloading of malware or even Automatic File Download), clipboard spamming, clipboard phishing and clipboard malwaring, I mentioned about it in the article. That my examples of JavaScript code (for IE) or ActionScript code (for all browses) can be used for such attacks, or to use ZeroClipboard.

Vulnerable are ZeroClipboard 1.0.7 and previous versions. This is concerning ZeroClipboard developed by original author (Joseph Huckaby). There are new versions, developed by new authors (Jon Rohan and James M. Greene), in which they became fixing these vulnerabilities - one XSS in 1.0.8 and another in 1.1.4 version. The last version ZeroClipboard 1.1.7 is not affected.

Original version by Joseph has two flash-files (ZeroClipboard.swf and ZeroClipboard10.swf) and newer versions by Jon and James have only one flash-file (ZeroClipboard.swf).

----------
Details:
----------

In September 2011 I've not made any assessment of ZeroClipboard, so draw attention only on XSS via copying to buffer (it exists in test.html from archive of original ZeroClipboard, because flash-application doesn't sanitize input before copying into buffer, similarly as it can be used for above-mentioned XSS attacks via pasting). This XSS can be triggered at testing page, where information about copied text is shown and XSS occurs, or at pasting into html-forms (as described in my article).

In WP-Table-Reloaded XSS works just with parameter id (this is modified version of swf-file, so there are different modification of it). In official version of ZeroClipboard it'll not work without "&width&height", so it's needed to set all parameters.

Some of these zeroclipboard.swf can be newer versions (with fixed XSS), but tens of thousands of swf-files (and sites with them) are vulnerable. For last 14,5 years I saw ZeroClipboard and similar flash-files (for copying into clipboard) at a lot of web sites. From small sites, till large sites, such as slideshare.net (this is just one more hole to those multiple holes, which I've informed them about during last years, and they always don't care about security of their site - or ignored vulnerabilities, or hiddenly fixed one hole without any response - typical lame approach, so this hole is going directly to full disclosure).